Solved

active directory - allow users to login to OWA and Sharepoint site only, not interactive on desktop PC

Posted on 2014-12-09
3
664 Views
Last Modified: 2014-12-10
Hi there
So we have a requirement to allow certain users to login to their email via OWA and to a Sharepoint site but they should not be permitted to logon to the network in the office on a PC and therefore no access to shared drives etc.
Is there a way to do this in group policy or another way?
many thanks
0
Comment
Question by:stack888
3 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40491476
Have you tried setting their "Log on to" in the AD user properties?  I'm not sure that works, though, I seem to recall in the past admins having a problem with this method.  Another possibility would be to create a special global group with restricted rights and then give that group only the necessary rights to log on to the Sharepoint and OWA sites. For Sharepoint, they would also need the necessary NTFS permissions to access any documents or other services and/or storage areas on your network to use the data that is being served through the Sharepoint site.
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40492032
Log on to tab in AD will definitely work

You need to create any fake computer account in AD and you need to edit properties of all required users and add this computer account, so that they can't logon to any other computers locally
In addition to above you need to restrict them on Remote Desktop services profile tab as well
U need to select check box "deny this user to logon to remote desktop session host server

Lastly, the below solution should work \ will work 100%
1st create one security group and add all required users to that group
At domain level create new group policy and in that policy enable deny logon locally and deny logon thru terminal services user rights setting and add above group there
These users will not be able to logon to any servers \ desktops trough RDP \ locally

Test any of above solution prior to deploy full flesh

Mahesh
0
 
LVL 2

Author Closing Comment

by:stack888
ID: 40492361
Mahesh, i ended up using pretty much your solution.
thanks!

This is what i did:

Create a group "Users Denied Interactive Logon", and make the relevant users a member.
Create a Group Policy Object (GPO) linked at the root of the domain called "Deny Interactive Logon"
In the "User Rights Assignment" subnode of the "Local Policies" subnode of the "Security Settings" subnode of the "Windows Settings" subnode of the "Computer Configuration" node I would add "Deny log on locally" permission for "Users Denied Interactive Logon" group.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question